Slashdot Mirror


How To Catch A Scammer/Spammer

Joe 90 writes "An interesting story got posted on the Irish Linux Users group. It involves the arrest of a scammer/spammer working in an internet cafe. It even includes the attempt to eat a usb pen drive, several cops and a 10 minute struggle to subdue the man. Story is available on the Linux.ie mailing list By the way Gardai = the cops in Ireland."


  1. We have a Hannibal Lecter here or something? by dzym · · Score: 5, Funny
    He attempted to eat several cops after downing the USB drive?

    No wonder there was a struggle!

  2. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  3. the power of /.ing by basil+montreal · · Score: 5, Interesting

    I kinda like all the stories I have read here about /.ing the spammers and signing them up for junk snail-mail and the like. (and if anyone can find me the link to the old story, I'd appreciate it)

  4. Sounds like a Monty Python episode by Bombcar · · Score: 5, Funny

    An unnamed man apprehended a scammer and a spammer, and put them in the slammer using only a scanner and a spanner!

    Or something like that........

    1. Re:Sounds like a Monty Python episode by kjdames · · Score: 5, Insightful
      Heh, more like "The Court Jester" circa 1956.

      "The pellet with the poison's in the flagon with the dragon; the vessel with the pestle has the brew that is true."

      --

      Typos... that's just how I role.

  5. thumbs up! by softwave · · Score: 5, Interesting

    It's a comforting thought to know that there actually is legal action being taken against those suckers.
    I find it very amusing to read how the spammer tries to struggle and fight back the cops :) I think it's proof that he knows he's in deep trouble :)

  6. important details by sczimme · · Score: 5, Funny


    From the article:

    Some of you who were on #linux on Friday will know part or most of this story already as I witnessed some of it (while drinking a truly delicious hot chocolate).

    You know, more people should mention what they're drinking when relating news like this. :-)

    There is an interesting and [somewhat] related article on The Register.

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:important details by templest · · Score: 5, Funny

      "Our top story this evening, 13 people slaughtered in what can be called the worst case of a mass Serial Killer that escaped from prison last Thursday night. On a lighter note, this coffee is magnificent! So rich and smooth, with a perfect blend of roasted beans..."

      --
      I'm a signature virus. Please copy me to your signature so I can replicate.
  7. Spam vs Crackers by jetkust · · Score: 5, Funny

    I hate spam more than I hate crackers

    But yet combining spam and crackers can be quite a tasty treat.

  8. Re:Did I miss out on Ireland becoming the 51st sta by The+Queen · · Score: 5, Funny

    No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?

    An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.

    This stuff hurts my head.

    --

    The House Between - Original Sci-Fi Series
  9. Re:Did I miss out on Ireland becoming the 51st sta by kjdames · · Score: 5, Funny

    So he would be an Irish-American? Err, wait...

    --

    Typos... that's just how I role.

  10. Neat :) but... by MacAndrew · · Score: 5, Insightful

    i'm trying to picture a revived miami vice, focused on computer crimes. imagine the possibilities. ok, there aren't many...

    congrats to the irish police for taking the offense so seriously. but is anyone here wary of the snooping involved? yes the sysadmin had every right to monitor traffic, but in what depth and for what purpose? for example, there's talk here of trying to fish out the suspect's email password and so on -- at police request. wouldn't it feel a bit different if the police, without warrant, were to do the same themselves -- imagine the worst case of them bugging all internet cafes to examine generic traffic without individualized suspicion. it's bad enough they want to see what we do at the library....

    practically speaking, i would imagine the government generally lacks the resources to parse large amounts of computer data. but just wait until it can be done by computers hunting for suspicious transactions, much as the credit card companies do now to catch fraud. the capability is there.

    i'm not sure where the legal stuff comes out here, this is not US law, but wonder about future possibilities. it is debatable what expectation of privacy you have in an internet cafe -- are keyloggers ok? is decrypting information different from reading plain text? must the user be warned? as an analogy, consider that when the federal exclusionary rule was first judicially established, it did not apply to states and the "silver platter doctrine" emerged whereby state investigators would get what the feds wanted and hand it over clean of any search and seizure problem. obviously this is a charade.

    someone who acts at the behest of the government -- an agent -- pretty much *is* the government, and i wonder if this interpretation colors the reaction of anyone here on privacy -- normally /.'rs are pretty, um, passionate on privacy and gov't intrusion, even if this IS an (alleged!) spammer who by definition is not humanoid. :)

    1. Re:Neat :) but... by OmniGeek · · Score: 5, Insightful

      Well, the following considerations have a strong impact on my view of the privacy issues:

      1) Scammer was using a public Internet cafe. For that matter, he was using the Internet, and don't we all understand that anything going out over the 'Net unencrypted can be considered seen by many eyes? There's no reasonable expectation of privacy in this situation. I certainly don't expect more privacy at an Internet cafe than I can get from using SSL on a machine I control; SMTP traffic is effectively public.

      2) Scammer was caught in flagrante delicto, turned in by the sysadmin on the basis of unsolicited information from a public source. This is far, far from the situation where Ashcroft tracks my every 'Net transaction in the absence of probable cause. (And the police in this case VERY likely have probable cause to get a warrant to search the perp's computer and crack his codes.)

      Even if this weren't a spam case, (say, a kidnapping or extortion rap instead), I don't see a fundamental issue of concern in the specific circumstances involved. I worry much more about snooping in the absence of clear evidence of a crime (yes, Mr. Ashcroft, I mean YOU).

      --

      "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  11. Re:whitelists rock by Anonymous Coward · · Score: 5, Funny

    I just sent you an email containing:

    1. The meaning of life.
    2. The location of $1,000,000 I buried 10 years ago.
    3. How to get any woman you want.
    4. How to stay young and live forever.

    Oh well.

  12. Re:This one goes out to all the ladies... by Cowboy+Bebop · · Score: 5, Funny

    Well, let's all start flood pinging it before we start thinking about our actions, its neighbor IPs, or whether the information is even really accurate :)

  13. Re:Strange understanding of ethnicity by savi · · Score: 5, Interesting

    He's being sarcastic and poking fun of the spread of the term "African-American." My students write in their exams all the time about "African-American" tribes in Africa. A friend who teaches in England has had exchange students from America ask about "African-American" history in England.

  14. Re:whitelists rock by Anonymous Coward · · Score: 5, Insightful

    Sorry, that doesn't solve the whole spam problem. Your mail server is still getting hammered by spam, it's just that you aren't seeing it. You are still paying for, directly or indirectly, the bandwidth that is being gobbled up by all the unwanted email that is sent to you.

  15. Re:Did I miss out on Ireland becoming the 51st sta by Rick+Zeman · · Score: 5, Funny

    No! Say it ain't so! It's bad enough we export McDonald's and Britney, but now we're exporting our political-correctness?

    An "African-American" is a person of African origin living in America. Not all African-Americans are black, and not all blacks are African. Certainly it would be a strange coincidence if this black person in Dublin was visiting from America, and also happened to be originally from Africa.


    It almost killed me when I heard a US newscaster refer to Nelson Mandela as African-American.
    When your world is all round pegs, what can you do when you encounter a square one?

  16. Best Line by Jonathan+Platt · · Score: 5, Funny

    Best Line: "Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them."

    --


    VENI, VIDI, VICI, DIXI
  17. Re:whitelists rock by Anonymous Coward · · Score: 5, Insightful

    And it also means that I can't email you, since I don't know your password, and the only way I could get your password is by asking you, and the only way I could ask you - since I don't have your address or phone number - is by emailing you.

    Doubtless that doesn't bother you, as you probably aren't interested in getting email from me. I, on the other hand, do frequently receive personal email from strangers. Your "solution" is worthless to me.

  18. Re:whitelists rock by Anonymous Coward · · Score: 5, Insightful

    Except that now, anyone who cares to do a simple whois lookup on the domain ww.com will quickly find himself in the possession of your name, address, and phone number, in addition to your e-mail.

    Not that anyone will call. But still, maybe you'd better think about that?

  19. Re:whitelists rock by essreenim · · Score: 5, Interesting


    People generally don't care that much about the decreased bandwidth - a problem which can also be solved - use a port knocking algorithm of some kind!

    And besides, spamming is pretty sophisticated these days: if the mail delivery fails, the target e-mail is often removed from the list of e-mail addresses they are trying to send scam e-mails to (as far as I know).
    I promise I'm not a spammer, I am interested in the subject though.
    I do believe whitelisting is the way to go!
    Only way to be sure!

  20. Re:Would have to be one tough USB memory card by Alsee · · Score: 5, Funny

    The thought of one of these 419 scammers desperately trying to break free of the grasp of the police in order to run back and hit a kill switch on his notebook computer makes my nipples explode with delight.

    And twelve-thousand horny Slashdot geeks go into neurotic spin-lock over gender uncertainty.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  21. Re:Just so I'm clear, here... by Steffen · · Score: 5, Informative

    Eh how about you read the mail.

    Our cafe was *BLACKLISTED* by spamcop. I checked the logs. I found his MAC address and when he came in with his laptop. I asked the staff. They described him. He came back and I caught him red handed.

  22. Meddling Kids by freaksta · · Score: 5, Funny

    And I would have gotten away with it, if it wasn't for you meddling kids!

    --


    Hrrm... I usually just sign my name.
  23. Full article text (for the lazy) by thesaur · · Score: 5, Interesting

    Some of you who were on #linux on Friday will know part or most of this story already as I witnessed some of it (while drinking a truly delicious hot chocolate). For those of you who don't, the following is a report written up by a friend of mine on his successful (or at least, it's looking good) attempt to stop and catch a 419 scammer. I feel it's worth the read.

    John

    -------- Original Message --------
    Subject: I fought the scammer... and I won.
    Date: Fri, 02 Apr 2004 21:54:30 +0100
    From: Steffen Higel
    To: John Allman ,
    paulinemccaffrey at eircom.net, stevecash at ireland.com, tony.odonnel at cs.tcd.ie, declan.dagger at cs.tcd.ie, edwin.higel at brookside.ie, marynstanley at eircom.net, richard.bannister at cs.tcd.ie, oconnoat at tcd.ie, jean.higgins3 at mail.dcu.ie

    [This is long, and is quite heavy on the technical discussion. Skip the bits you don't understand. It gets interesting.]

    I work for a busy Dublin Internet cafe, doing some sysadmining and general computer maintenance. On Sunday the 28th of March, I got a rather distressing email from a sysadmin in a large U.S. University. Spamcop had blacklisted our server's external IP address. Abuse mail for the server in question gets sent to my college account (bad practice, I know, but it's a part time job). My college uses Spamcop as a blacklist source. You can probably tell what happened...

    Anyway, said email included the full headers of an email which was natted by our server pretending to be from the widow of Mr. Jonas Savimbi, offering the recipient a share of an unspecified large sum of money. The usual panicked thoughts kick in... "Have I fiddled with something which has left us as an open relay?", "Has our server been cracked?", "Have I been sleep-spamming again?". A more reasoned examination of the headers showed that the mail had originated from one of the IP addresses that we assign dynamically to people who bring laptops into the cafe. This is something of a nightmare for cafe operators, we can hardly block outbound smtp but then again it isn't possible for us to manually check every single mail either. Maybe rate limiting is a valid technical solution. Or a contraption which hits the user on the head for every mail they send. So if they send 1 an hour, it's a mild nuisance. But if they send 100 a minute, it'll probably kill them.

    A peek through the logs revealed:

    Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPREQUEST for 192.168.1.70 from 00:40:f4:5d:aa:f7 via eth1
    Mar 26 15:04:20 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1

    Bingo. I had something to work with. The network card is one based on a Cameo 32bit chipset. Matches up quite nicely with these:

    Return-Path:
    Received: from 192.168.1.70 (server.XXXXXX [XXXXXXX.29])
    byXXXXXXXXXXXXXXXXXX) with SMTP id i2QFrgi0002755
    for ; Fri, 26 Mar 2004 10:53:44 -0500 (EST)
    Reply-To: "michelle savimbi"
    From: "michelle savimbi"
    To:
    Subject: urgent response
    Date: Fri, 26 Mar 2004 15:53:26 +0000
    Organization:
    Mime-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_0 00_0034_01C221EC.6C64F7B 0"
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000ams
    X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2800.1165

    I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop and had a number of visitors call into
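The lease-to-header matching Steffen describes (the Received header's relay IP and -0500 timestamp on one side, the dhcpd DHCPACK lines on the other, joined on IP and time to recover the laptop's MAC), as an added Python example that is not part of the original post. The log lines, host names and the two extra leases on other MACs are constructed; the cafe server's clock is assumed to run on UTC (Ireland was on GMT on 26 March 2004).

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed dhcpd syslog sample modelled on the lines in the post. syslog
# omits the year, so the caller supplies it. The two leases on other MACs are
# invented to show why the time window, not just the IP, decides the match.
DHCP_LOG = """\
Mar 26 12:10:02 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:11:22:33:44:55 via eth1
Mar 26 15:04:16 server dhcpd-2.2.x: DHCPDISCOVER from 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPOFFER on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 15:04:17 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:40:f4:5d:aa:f7 via eth1
Mar 26 17:30:41 server dhcpd-2.2.x: DHCPACK on 192.168.1.70 to 00:aa:bb:cc:dd:ee via eth1
"""

# Constructed Received header: relay IP, SMTP id and timestamp follow the
# post; the obfuscated host names are replaced with documentation placeholders.
RECEIVED = ("Received: from 192.168.1.70 (server.example.net [198.51.100.29]) "
            "by mx.example.edu with SMTP id i2QFrgi0002755 "
            "for <victim@example.edu>; Fri, 26 Mar 2004 10:53:44 -0500 (EST)")

ACK_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: DHCPACK on (\S+) "
                    r"to ([0-9a-fA-F:]{17})")


def parse_leases(log, year, tz=timezone.utc):
    """Return (ack_time, ip, mac) for every DHCPACK, oldest first.

    Assumes the DHCP server's clock runs in `tz` (UTC here, an assumption)."""
    leases = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        leases.append((stamp.replace(tzinfo=tz), m.group(2), m.group(3)))
    return sorted(leases)


def received_origin(header):
    """Extract the originating IP and the receiving MX's tz-aware timestamp."""
    m = re.search(r"from (\d+\.\d+\.\d+\.\d+) .*; (.+?)(?: \(\w+\))?$", header)
    return m.group(1), parsedate_to_datetime(m.group(2))


def mac_holding(leases, ip, when, max_lease=timedelta(hours=12)):
    """MAC that held `ip` at `when`: the latest DHCPACK for that IP at or
    before `when`, and no older than one lease time (12h assumed)."""
    hits = [l for l in leases
            if l[1] == ip and l[0] <= when and when - l[0] <= max_lease]
    return hits[-1][2] if hits else None


def attribute_spam(log, header, year):
    """Tie a message's Received header back to a laptop's MAC address."""
    ip, when = received_origin(header)
    return mac_holding(parse_leases(log, year), ip, when)
```

Timezone handling is the step that usually goes wrong here: the MX stamps the mail in EST, the cafe logs in local time, and both must be converted to a common clock before the lease lookup.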

  24. Diet tips by zoeblade · · Score: 5, Funny

    It even includes the attempt to eat a usb pen drive, several cops and...

    Diet tip of the day: never try to eat cops. That whole pig motif's just a cunning lie.

  25. Re:whitelists rock by Big_Al_B · · Score: 5, Funny

    I've got absolutely nothing to hide,
    by Anonymous Coward

    Um...

  26. "we can hardly block outbound smtp" by TBone · · Score: 5, Insightful

    Why not?

    You're a cyber cafe, not a shop that's set up with local accounts. Mail should be of one of two types:

    • Webmail/remotemail/etc, in which case, the mail actually doesn't get sent from your servers, it goes through the webforms/ssh/whatever to be sent from the remote server
    • Mail from actual local accounts for the Cafe's staff. This mail should be filtered to your mail server, and should only be forwarding mail from those accounts. Setting this up is fairly trivial with the many AUTH-before-SMTP methods out there.

    Either way, your proxy server should have a default DENY outbound port 25 EXCEPT from your mailserver, which itself is handling the authentication for the few accounts that really are allowed to send mail.

    --

    This space for rent. Call 1-800-STEAK4U

  27. my W*O*R*K*I*N*G spam filtering method by pangel83 · · Score: 5, Informative

    I have bought a domain (let's say johndoe.org) from a very cheap url forwarding company (at a rate of something like $15/year). It comes with unlimited e-mail forwarding aliases, and a "catch-everything" alias (let's say notexisting@johndoe.org), that forwards any e-mail sent to a non-existing alias to the default e-mail address that I have defined.
    The default e-mail address (let's say secret@johndoe.org) is an alias that forwards everything to my real mailbox (let's say johndoe@aol.com). Of course, my real mailbox address, my catch-all address and the "default" address are not given to ANYBODY.

    For my communication needs, or whenever asked, I just make up an e-mail address (jonamazon@johndoe.org for Amazon, so that I will remember easily what address I use on the site). Since the alias is not set up in the mailserver, when Amazon tries to contact me, the e-mail will follow the following alias path:
    1) jonamazon
    2) notexisting
    3) secret (default)
    4) real mailbox

    When I see a spam message (once in two weeks!!!), I just divert the alias to point to an abuse address of a random spamhaus. The good thing is that since I use random but descriptive addresses, I can see what websites actually harvest e-mails and sell them to spammers!!!
    It is interesting to note that at some point I received e-mails that were addressed to some ridiculous random aliases (e.g. jesus@, happykitty@ etc.) of my domain (clearly not used by me). Just an indication of the use of wordlists (of course every such alias got blocked).

    I have not yet reached the levels of paranoia of giving separate e-mail addresses to any of my friends of course :P

    Anyway, it is not as complicated as it looks, and of course way less complicated than using bayesian filters and the like. And believe me, it works :)